July 16, 2025
By Hira Javed; Lynn Parker Dupree

California courts have seemingly broadened the scope of privacy actions brought under the data breach section of the California Consumer Privacy Act (CCPA). While actions for violations of other provisions of the CCPA may be brought by the California Privacy Protection Agency, individuals may file suit for personal information data breaches.[1] Specifically, “any consumer whose nonencrypted and nonredacted personal information, . . . or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . may institute a civil action . . . .”[2]
While practitioners understood this provision to be specifically related to data breaches, some California courts have begun to allow claims under this provision to survive preliminary motions, even where the facts alleged do not include breach specifically, and instead assert the claim based on the disclosure of personal information without consent due to the business’s failure to maintain reasonable security practices.[3] For example, in a March 2025 ruling on a motion to dismiss in Shah v. Capital One, the Northern District of California granted-in-part and denied-in-part Capital One’s motion to dismiss, particularly finding that the plaintiffs had stated a claim with respect to allegations under the CCPA despite not alleging a data breach.[4]
In this instance, the Plaintiffs in this class action asserted 17 causes of action based on allegations that the financial institution unlawfully disclosed their personal information, financial information, and communications to third parties through tracking software embedded on the Capital One website.[5] The Court found that because these trackers were used and transmitted Plaintiffs’ personal and financial information, the plaintiffs did not need to allege a data breach to maintain the CCPA claim.[6]
Previous California decisions have held similarly. In another Northern District decision, M.G. v. Therapymatch, the court held that a CCPA claim could survive a motion to dismiss where the plaintiffs alleged disclosure of personal information, including confidential medical and health insurance information via online tracking tools.[7] In Ramos v. Wells Fargo Bank, N.A., a Southern District court held that the plaintiff was not required to plead that there was a data breach and found the plaintiff’s CCPA claim sufficient to file a motion to dismiss because the plaintiff alleged that unknown individuals accessed information regarding his savings account due to the bank’s failure to implement and maintain reasonable security procedures.[8]
These decisions indicate a changing landscape in privacy litigation under the CCPA. Companies should take extra care to ensure they understand the data collected and shared with third-party tracking tools on their websites, obtain consent when required, and work to ensure that their privacy policies are up-to-date and can account for any transmission of personal or sensitive information.
[1] Cal. Civ. Code §§ 1798.150, 1798.199.10.
[2] Id. § 1798.150(a)(1).
[3] Shah v. Capital One, 768 F.Supp.3d 1033, 1048-49 (N.D.Cal. 2025).
[4] See id. at 1048-49, 1053-56.
[5] See id. at 1042-43, 1048-49.
[6] See id.
[7] 23-cv-04422-AMO, 2024 WL 4219992, at *7 (N.D. Cal. Sept. 16, 2024).
[8] 23-cv-0757-L-BGS, 2023 WL 5310540, at *2 (S.D. Cal. Aug. 17, 2023).
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
Webinar
Early Motions in Trade Secret Litigation – Offensive and Defensive Insights
July 15, 2026
Webinar
Federal Circuit IP Blog
July 8, 2026
Federal Circuit IP Blog
July 8, 2026
Webinar
Inventive Step in Europe and the US: Comparing the UPC, EPO and National Approaches
July 8, 2026
Webinar
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.